Federation registry

This is a preliminary overview of Gluu's Federation Registry subscription service. Federations can be used to lower the costs of SAML or OpenID Connect networks of identity providers, websites, and mobile apps. The federation provides a workflow for on-boarding websites, apps and IdPs, and it drives down the cost of publishing certificates. There are many other benefits... check out the slides.

  1. Federation Registry (8/27/2013, http://gluu.org)
  2. SAML, OpenID Connect, UMA: how can states support the numerous applications (websites, SaaS apps, mobile apps) that want to use their open interfaces for authentication and authorization?
  3. Multi-Party Federation Approach…
     • Federations provide the “tools” and “rules” to protect privacy while driving down the costs for both the State and application developers
     • Federations are a proven approach: they are widely used in Higher Education and government – http://www.gluu.co/.hdr8
  4. To be successful, federations have to “ease the on-boarding” with a simple process to join:
     – Provide registration
       • Applicants agree to the participation agreement and submit their certificate via a management website
     – Vet participants
       • The federation reviews the application and ensures the applicant qualifies to participate in the federation
     – Collect fee
       • It is common to collect setup and subscription fees to offset the cost of managing the federation infrastructure
  5. The Participation Agreement
     – Specifies privacy protections
       • Specifies the Levels of Assurance (LOA) from the identity provider that an accurate authentication has been achieved
       • Specifies the Level of Protection (LOP) from the website or mobile application as to what security is in place to protect a person’s data from loss
       • Specifies the Level of Control (LOC) a person has to access, correct or remove their data
     – Standardizes terms and conditions
     – Clarifies policies and operating procedures
  6. The Federation publishes the schema, or words, used by the participants
     – Attributes of the person
       • A piece of information about the person, AKA “user claims”: mail, phone, address, state, grade, age…
     – Authentication mechanisms
       • You need to make sure the apps request the right kind of authentication
       • http://www.example.com/schema/authn/auth_mode/myMobileToken
       • http://www.example.com/schema/authn/auth_level/9
     – Authorization scopes
       • You need to make sure the apps request the right kind of authorization
       • http://www.example.com/schema/authz/grade1
       • http://www.example/schema/authz/teacher
       • http://www.example.com/schema/authz/principal
  7. The federation publishes the nightly “metadata”
     – A file that contains the official list of the participants of the federation (at the time of publication), e.g. http://www.incommon.org/federation/metadata.html
     – Publishes the certificate of each participant
     – A place for the federation to publish other information about the participant’s role
  8. Federation Registry
     – Provides a scalable administration interface for the federation operator
     – Open source web application developed by the Australian higher education federation
     – Deployed in several other countries: Ireland, Switzerland
     – Enables websites to enter all the information that is needed by the federation and handles the approval workflow
  9. What does the Gluu Federation Registry Subscription include?
     – Deployment of the Federation Registry application on an existing customer IaaS or Gluu Server
     – Quick start generating the Participation Agreement (will require review and modification by the State)
     – Creation of the initial schema for attributes, authentication, and authorization
     – Development of an operations guide for Registry Administrators
     – Monitoring / support of the Federation Registry Server
  10. Future proofing…
     – Current federations are defined using SAML; however, federations are not limited to supporting one protocol
     – OpenID Connect Federation standards are evolving: http://www.gluu.co/multi-openid-wiki
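Slides 4, 6 and 7 together describe what a registry operator has in hand when vetting a participant: the certificate submitted at registration, the attribute schema the federation publishes, and the nightly metadata aggregate that lists every participant with its certificate. The following Python is an added example, not Gluu's or the Federation Registry's code, that applies those checks to a constructed SAML 2.0 metadata aggregate: it refuses an aggregate whose validUntil has passed, extracts each entity's roles and certificate fingerprints, confirms the published certificate matches the one registered, and flags requested attributes that are not in the schema. The entity IDs, certificate bodies and schema are all constructed placeholders. One caveat the example omits: a production consumer must first verify the federation's XML signature over the aggregate with the federation's signing key, which the standard library cannot do.

```python
"""Vet a federation participant against the published metadata aggregate.
Added example for the slides above, not Gluu's or Federation Registry code.
Every input below is constructed."""
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Attribute schema as the federation would publish it (constructed from the
# attribute names the slides list).
ATTRIBUTE_SCHEMA = {"mail", "phone", "address", "state", "grade", "age"}

# Stand-ins for DER certificate bodies: NOT real X.509 certificates, just
# bytes so the fingerprint logic has something to hash.
IDP_CERT_B64 = base64.b64encode(b"constructed-idp-cert-der").decode()
SP_CERT_B64 = base64.b64encode(b"constructed-sp-cert-der").decode()

# Constructed aggregate in the shape of a SAML 2.0 metadata file: one IdP and
# one SP that declares which attributes it wants released.
SAMPLE_AGGREGATE = f"""<?xml version="1.0"?>
<md:EntitiesDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    Name="urn:example:federation" validUntil="2013-09-03T00:00:00Z">
  <md:EntityDescriptor entityID="https://idp.example.gov/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{IDP_CERT_B64}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://app.example.com/sp">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{SP_CERT_B64}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
      <md:AttributeConsumingService index="0">
        <md:ServiceName xml:lang="en">Example App</md:ServiceName>
        <md:RequestedAttribute Name="mail"/>
        <md:RequestedAttribute Name="grade"/>
        <md:RequestedAttribute Name="ssn"/>
      </md:AttributeConsumingService>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""

PUBLISHED_AT = datetime(2013, 8, 27, tzinfo=timezone.utc)  # the nightly run
AFTER_EXPIRY = datetime(2013, 9, 4, tzinfo=timezone.utc)   # past validUntil


def cert_fingerprint(b64_cert: str) -> str:
    """SHA-256 over the DER bytes, the form in which a certificate is pinned."""
    der = base64.b64decode("".join(b64_cert.split()))
    return hashlib.sha256(der).hexdigest()


def load_aggregate(xml_text: str, now: datetime) -> dict:
    """Parse the aggregate into {entityID: {roles, fingerprints, requested_attributes}}.
    The whole file is rejected once validUntil has passed: a stale copy can
    still name participants the federation has since removed."""
    root = ET.fromstring(xml_text)
    valid_until = root.get("validUntil")
    if valid_until is None:
        raise ValueError("aggregate carries no validUntil")
    expiry = datetime.strptime(valid_until, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    if now >= expiry:
        raise ValueError(f"aggregate expired at {valid_until}")
    entities = {}
    for ed in root.iter(f"{{{NS['md']}}}EntityDescriptor"):
        entry = {"roles": [], "fingerprints": [], "requested_attributes": []}
        for role in ed:
            tag = role.tag.rsplit("}", 1)[-1]
            if not tag.endswith("Descriptor"):  # skip Organization, ContactPerson, ...
                continue
            entry["roles"].append(tag)
            for cert in role.iterfind(".//ds:X509Certificate", NS):
                entry["fingerprints"].append(cert_fingerprint(cert.text))
            for ra in role.iterfind(".//md:RequestedAttribute", NS):
                entry["requested_attributes"].append(ra.get("Name"))
        entities[ed.get("entityID")] = entry
    return entities


def vet_participant(entities: dict, entity_id: str, schema: set,
                    registered_fingerprint: str = "") -> list:
    """Checks the registry applies before approving an entry; [] means it passes."""
    entry = entities.get(entity_id)
    if entry is None:
        return [f"{entity_id} is not in the published metadata"]
    findings = []
    if not entry["fingerprints"]:
        findings.append("no certificate published for this entity")
    elif registered_fingerprint and registered_fingerprint not in entry["fingerprints"]:
        findings.append("published certificate differs from the one submitted at registration")
    unknown = sorted(set(entry["requested_attributes"]) - schema)
    if unknown:
        findings.append("requests attributes outside the federation schema: " + ", ".join(unknown))
    return findings


if __name__ == "__main__":
    members = load_aggregate(SAMPLE_AGGREGATE, PUBLISHED_AT)
    for entity_id, entry in members.items():
        print(entity_id, entry["roles"], vet_participant(members, entity_id, ATTRIBUTE_SCHEMA))
```

Run against the constructed aggregate, the IdP passes and the SP is flagged for requesting `ssn`, which the federation never published in its schema; that is exactly the kind of finding the approval workflow on slide 8 exists to surface before an entry goes live. Fingerprints are taken over the DER bytes so the registry can compare what the applicant uploaded at registration with what the nightly aggregate actually publishes.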